Strongbox website will be moving to https://www.comglobalit.com/en/strongbox/ in the coming weeks
Strongbox Support Email: strongbox@comglobalit.com
Support Contact: Elias Torres, Comglobal IT S.A.
--
Clonebox website will be moving to Clonebox.net
Clonebox Email: Ray Morris: support@bettercgi.com

The Strongbox Security System™ FAQ

How does it work?

Quite well.

No, really, how does it work?

It generates a cryptographically secure, time-limited,
one-time pass tied to certain identifying characteristics
of the user's browser. That's about all I'll say on that subject
until the patents are secure.

The Strongbox Security System™ sounds like everything
I'm looking for, and therefore, too good to be true. But I understand
that you are well-known in the adult internet business, and that's
encouraging.

I have been around a while (since 1997) and I think you'll hear from
other people that what I say about the product can be relied upon.
I also try to be sure to mention the less positive aspects, such as it
being a bit of a pain to set up. This is one of the main reasons we
always do the installations for you.

Is it a flat fee or monthly? Are there any setup fees?

The license/setup fee is a flat fee per site, with no monthly
charges. This includes 30 days free email and telephone support.
The wiki is always free, of
course. For sites with greater support needs, it's become necessary
to offer an Annual Support Offer.
This is very inexpensive compared to services that provide much
less functionality and charge a monthly fee. Some people wonder why
it's so inexpensive if it's so good. There are two reasons. First,
we use and believe in free software such as Linux. We can't give the
Strongbox Security System™ away free and still pay the rent,
but we do believe in giving webmasters the best deal possible. Secondly,
our pricing reflects the fact that most webmasters trust my judgment and
simply place an order, without needing several hours of meetings or phone
calls to make a decision. In the corporate world it is common to spend
far more time in discussions than actually doing anything. Thus many
vendors' prices reflect the fact that they expect to spend several hours
with you regarding each purchase. We don't write formal proposals and we
don't have meetings, so we can charge only for the actual program. (Ongoing
support IS available, but very extensive support may be charged
separately.)

I'm assuming that the Strongbox Security System™ will run on
Linux/Apache. Is it a compiled application? A set of mod_rewrite rules?
PHP or Perl?

The Strongbox Security System™ is designed for Linux and Apache
and is also running on BSD systems. The normal installation consists of Perl
scripts, rewrite rules and just a bit of self-compiling C code. There is
also an Apache module version available for specialty uses.

I understand the Strongbox Security System™ produces a log file
of sorts. How do you configure it? Or will I be able to alter its configuration
after you've installed it?

It does produce a log of logins for each site, which by default is in the
Strongbox Security System™ installation directory. This log
generally remains very small and thus doesn't require any maintenance. The
only configuration option for the log is its location. Like all configuration,
that is set via a simple variable in config.pl. For more information, please see
our reporting and member management
module.

Does the Strongbox Security System™ require a connection to your server,
like older IP counting systems? When my existing service goes down it takes my site
down with it.

Unlike less capable systems, the Strongbox Security System™ runs entirely
on your server and does NOT depend on a connection to our servers. I believe it's
totally unacceptable to create a situation where your members can't login to your site
just because the company providing your password monitoring service is down.

Update - the optional origin country analysis and reporting and real time proxy
detection systems make use of our high speed servers, but do NOT depend
on them being available. If our server was down for some reason, your users could
still login normally. The Strongbox Security System™ simply would
not make use of origin country analysis during the downtime. As the Strongbox
Security System™ is the only known system to ever
use this analysis, leaving that part out just makes it three times as effective
as other systems rather than four times as effective, like it normally is.

My current system, for which I pay a monthly fee, often disables legitimate members
of the site. Does the Strongbox Security System™ do that a lot?

That has been a big problem with the old "band-aid" services for years. In part,
it's due to their approach of trying to patch up the holes inherent in the basic
username / password authentication method. Kind of like trying to plug the holes
in a chain link fence, it doesn't work very well and there are often errors. By
replacing that old chain link fence with a modern wall of protection, the Strongbox
Security System™ is not limited by the old system, which was specifically
designed to be insecure. It can therefore be far more accurate about which requests
to allow and which to block. For example, the Strongbox Security System™
can analyze which countries login requests are coming from, something that the monthly
fee services cannot do because of the hit-by-hit analysis which their old-fashioned
approach requires.

Also, the Strongbox Security System™ doesn't just permanently kill a
username when it sees the first signs of possible abuse. Unlike the clumsy services
that you may be accustomed to, the Strongbox Security System™ takes a more
measured and precise approach. The Strongbox Security System™ has two
stages of defense for shared passwords. When it detects a username/password that
has probably been compromised, it suspends that username temporarily. At that point
it also takes action to reduce the potential load put on your server should there be
an extremely large number of people hitting your server, trying (and failing) to
access with that username. If several more people continue to try to login with
that same username, the Strongbox Security System™ permanently disables
the password. It then emails you to let you know that it has detected and taken
care of the problem. That doesn't happen all too often because the password sites
normally delete the username within an hour after the Strongbox Security
System™ suspends it.
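
The two stages described above, sketched as a small state machine. This is an added example, not Strongbox code; the thresholds, the `client_id` notion (for instance a source address or browser fingerprint) and the `notify` callback are assumptions made for illustration.

```python
SHARE_LIMIT = 3          # assumed: distinct clients per username inside WINDOW
WINDOW = 3600            # assumed: seconds over which clients are counted
SUSPEND_SECONDS = 3600   # assumed: length of the temporary suspension
DISABLE_AFTER = 5        # assumed: further distinct clients that trigger stage two

class Account:
    def __init__(self):
        self.state = "active"        # active -> suspended -> disabled
        self.seen = {}               # client_id -> time of last login
        self.suspended_until = 0
        self.turned_away = set()     # distinct clients refused while suspended

class SharedPasswordGuard:
    def __init__(self, notify):
        self.accounts = {}
        self.notify = notify         # callable(username); stands in for the e-mail

    def login(self, username, client_id, now):
        """Decide whether a login for `username` from `client_id` may proceed."""
        acct = self.accounts.setdefault(username, Account())
        if acct.state == "suspended" and now >= acct.suspended_until:
            # Suspension ran out without stage two being reached: start fresh.
            acct.state, acct.seen, acct.turned_away = "active", {}, set()
        if acct.state == "disabled":
            return "disabled"
        if acct.state == "suspended":
            # Refuse immediately, before any further work, to keep the load low.
            acct.turned_away.add(client_id)
            if len(acct.turned_away) >= DISABLE_AFTER:
                acct.state = "disabled"          # stage two: permanent
                self.notify(username)
                return "disabled"
            return "suspended"
        # Forget clients not seen inside the window, then record this one.
        acct.seen = {c: t for c, t in acct.seen.items() if now - t < WINDOW}
        acct.seen[client_id] = now
        if len(acct.seen) > SHARE_LIMIT:
            acct.state = "suspended"             # stage one: temporary
            acct.suspended_until = now + SUSPEND_SECONDS
            return "suspended"
        return "ok"
```

A suspension that expires without further distinct clients returns the account to normal, which is what keeps a legitimate member from being locked out for good.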

What are these "open proxies" that people tell me the hackers use?
~or~
Besides replacing usernames and passwords with secure tokens, how is the Strongbox
Security System™ so much more effective than older IP counting systems?

An HTTP proxy is a server that lets you surf the web through it. Your computer
connects to the proxy and tells the proxy what page you want to see. The proxy
gets the page for you and forwards it on to you. From the server's perspective,
you are invisible - it only sees the address of the proxy. When people do a brute
force, or "hurling", attack, they might use 20 different proxies, so the server
sees the requests coming from 20 different IP addresses. They do this to fool older
"naive" software, which merely counts how many times a certain IP has
tried a different username and password. These older, simpler "patch up" systems
will let each of the attacker's IP addresses guess many usernames each hour, never
recognizing that the guesses from the 20 different IPs are all coming from the same
person and their brute force, or "hurling" software.

The Strongbox Security System™ isn't so easily fooled. The Strongbox
Security System™ blocks these open proxies right away. There are some
legitimate proxies. For example, AOL uses proxies so they don't have to have
different IPs for each user. Legitimate proxies that you want to let through,
though, are closed proxies - AOL proxies, for example, can only be used by AOL
customers. Companies set up legitimate proxies so that only their employees or
customers can access them. Script kiddies, hackers, and other undesirables don't
pay for access to 20 different proxies from 20 different companies, of course.
Instead they use servers that have been misconfigured or hacked so that anyone
can use them as a proxy, or one of a couple proxies put up by nefarious
characters specifically for the purpose of allowing various kinds of wrongdoing
to be accomplished without showing the perpetrator's IP address. These proxies
which anyone can access are called open proxies. As they are often used by
people attacking sites and rarely or never used by legitimate users, the
Strongbox Security System™ blocks access from these open proxies.

Note: This proxy defense module was originally designed as an extra cost option to
enhance the Strongbox Security System™'s already high resistance to
these types of attacks. We have decided to include this module as a free bonus
with every Strongbox Security System™ installation right now.
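
Why per-IP counting misses the 20-proxy pattern described above, shown on a constructed login log next to a site-wide count that does see it. This is an added example, not Strongbox code (Strongbox is described as blocking open proxies outright); the thresholds and log layout are assumptions, and the addresses come from documentation ranges.

```python
from collections import defaultdict, deque

# Constructed sample, not real traffic: (minute, client_ip, username, success).
# One guesser spreads 200 attempts over 20 proxy addresses, 10 usernames each.
ATTACK = [(i // 10, f"203.0.113.{i % 20 + 1}", f"user{i:03d}", False)
          for i in range(200)]
NORMAL = [(3, "198.51.100.7", "alice", True),
          (5, "198.51.100.9", "bob", False),   # a member mistypes once...
          (5, "198.51.100.9", "bob", True)]    # ...then gets it right
EVENTS = sorted(ATTACK + NORMAL)               # all inside a single hour

PER_IP_LIMIT = 15   # assumed: failed usernames allowed per IP per hour
SITE_LIMIT = 50     # assumed: distinct failed usernames site-wide per hour
MIN_PER_IP = 3      # assumed: an address must contribute this many to be flagged

def per_ip_counter(events, limit=PER_IP_LIMIT):
    """The naive scheme: block an IP once it has failed on more than `limit` usernames."""
    tried = defaultdict(set)
    for _, ip, user, ok in events:
        if not ok:
            tried[ip].add(user)
    return {ip for ip, users in tried.items() if len(users) > limit}

def site_wide_counter(events, limit=SITE_LIMIT, window=60):
    """Count distinct failed usernames from all addresses together over a sliding
    window, then flag the addresses that fed the spike."""
    recent, flagged = deque(), set()
    for minute, ip, user, ok in events:
        if ok:
            continue
        recent.append((minute, ip, user))
        while recent[0][0] <= minute - window:   # drop failures older than the window
            recent.popleft()
        if len({u for _, _, u in recent}) > limit:
            per_ip = defaultdict(set)
            for _, src, u in recent:
                per_ip[src].add(u)
            flagged |= {src for src, users in per_ip.items()
                        if len(users) >= MIN_PER_IP}
    return flagged

if __name__ == "__main__":
    print("per-IP counter blocks:", sorted(per_ip_counter(EVENTS)))
    print("site-wide counter flags:", len(site_wide_counter(EVENTS)), "addresses")
```

The `MIN_PER_IP` floor is what keeps the member who mistyped once out of the flagged set while the site-wide alarm is raised.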

How do I know that it's really as good as you say? Do you have any references?

I encourage you to search your favorite webmaster boards to see what people say
about "Ray" and "the Strongbox Security System™", but here are a few
posts to get you started:

Upgrades are available at any time with a $25 installation fee. The $25 upgrade
applies to the same "major version" that you purchased. That is, if you purchase
any 3.x version you can upgrade to the current 3.x version at any time. A 3.x
license will not necessarily entitle you to a 4.x upgrade. 4.0 may be a very
different product with different features and very different pricing.

Does it limit the user bandwidth wise? Or page-view-wise?

It doesn't limit on either page views or bandwidth. The Strongbox Security
System™ uses a much smarter approach. Normally, when people start
talking about bandwidth limiting, what they are really wanting is some
protection against "slurping", programs that bulk download your whole site.
The Strongbox Security System™ stops slurping directly, which is far
more effective than bandwidth limiting, without the problems caused by bandwidth
limiting. Neither page count nor bandwidth limiting works, and both put a
significant strain on your server tracking and recalculating bandwidth for each
user with every hit.

You can't limit based on the number of files requested, because with thumbnail
pages having 40 thumbs on a page it's perfectly normal for the user to request
120 files in one minute. You can't limit based on html pages, because the
slurper isn't going to request all that many html pages, he's just going to
grab every single pic from each of your gallery pages. Besides, your gallery page
URL may well be something.cgi or something.php. How is the script to know
whether .cgi or .php is an html page or image? You can't limit on bandwidth
because you want your user to be able to download a 150 MB mpeg, and get it
downloaded as fast as his cable modem will allow. You don't, however, want to
let that guy on a much slower connection to download 150 MB of pics every night.
On top of all this, if you limit based on either page hits or bandwidth,
you only catch them after they have already done the damage! By the time you
detect that they've downloaded 300 MB of stuff in the last hour and you want to
kick them out, they've already hit you for 300 MB and put that strain on your
server for an hour.

Not only have they strained your server for an hour with such methods, but there
will always be a significant strain caused by your protection scheme. Every
single time someone requests a page or image the system has to take that
information and analyze it with respect to all of the other hits over the last
hour to see if the person is over their limit. The Strongbox Security
System™ uses a much smarter approach. The Strongbox Security
System™ blocks slurping software based on the fact that it is
slurping software and not a human, often within seconds of the time they start
slurping, before they've even downloaded 1 MB. The Strongbox Security
System™ anti-slurp algorithm is well described by looking at every
part in that definition - "slurping software and not a human". The Strongbox
Security System™ looks to see if it's slurping, hitting every link on
the page. The Strongbox Security System™ also looks to see if it's
software as opposed to a human. Software extracts links, humans click links.
If the link was extracted programmatically, they are blocked. If the link was
clicked, they are not blocked.
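
The "hitting every link on the page" half of that definition can be measured as link coverage: of the links a visitor would have to click, how many were requested shortly after the page loaded. This is an added example, not Strongbox's algorithm; the 30-second window, the 0.9 threshold, the page and both sessions are constructed assumptions.

```python
from html.parser import HTMLParser

class LinkCollector(HTMLParser):
    """Separate what a browser fetches by itself (img src) from what needs a click (a href)."""
    def __init__(self):
        super().__init__()
        self.clickable, self.embedded = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.clickable.add(a["href"])
        elif tag == "img" and a.get("src"):
            self.embedded.add(a["src"])

# Constructed gallery page: 40 thumbnails, each linking to a full-size picture.
PAGE = "<html><body>" + "".join(
    f'<a href="/full/{n}.jpg"><img src="/thumb/{n}.jpg"></a>' for n in range(40)
) + "</body></html>"

def href_coverage(page_html, requests, page_loaded_at, window=30):
    """Fraction of the page's clickable links requested within `window` seconds
    of the page load. `requests` is a list of (seconds, path) for one session."""
    links = LinkCollector()
    links.feed(page_html)
    hit = {path for t, path in requests
           if 0 <= t - page_loaded_at <= window and path in links.clickable}
    return len(hit) / len(links.clickable) if links.clickable else 0.0

def looks_like_slurping(page_html, requests, page_loaded_at, threshold=0.9):
    return href_coverage(page_html, requests, page_loaded_at) >= threshold

# Constructed sessions. The browser loads all 40 thumbnails on its own and the
# visitor clicks two pictures; the bulk downloader requests every linked picture.
HUMAN = [(0.5 + n * 0.05, f"/thumb/{n}.jpg") for n in range(40)] + \
        [(8, "/full/3.jpg"), (21, "/full/17.jpg")]
SLURPER = [(1 + n * 0.2, f"/full/{n}.jpg") for n in range(40)]

if __name__ == "__main__":
    for name, session in (("human", HUMAN), ("slurper", SLURPER)):
        print(name, len(session), "requests, coverage",
              href_coverage(PAGE, session, 0))
```

The human session makes 42 requests and the downloader 40, so a hit count cannot tell them apart, while coverage of clickable links is 0.05 against 1.0.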

So, does Strongbox work with the .htaccess file?

The Strongbox Security System™ does NOT use the old-fashioned
.htaccess directives like "AuthUserFile" and "require valid-user". The Strongbox
Security System™ DOES use its own special directives in a .htaccess file.

Does it require a special login page?

Because of the weaknesses inherent in the old-fashioned "mod_auth" gray box pop-up,
the Strongbox Security System™ replaces that system with one in which
the user actually logs in through a special login page and thereafter the Strongbox
Security System™ recognizes the user based on their session ID and system
fingerprint. See the above question "How does the Strongbox Security System™
compare to PennyWize?".
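
A common way to build a time-limited, one-time pass tied to a browser fingerprint, as mentioned in "No, really, how does it work?" and in the login-page answer above, is an HMAC over the username, expiry, nonce and fingerprint. This is an added example and not Strongbox's undisclosed method; the choice of User-Agent and Accept-Language as the fingerprint, the 300-second lifetime and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # kept on the server only
_redeemed = set()                      # nonces already used (a real site would expire these)

def fingerprint(user_agent, accept_language):
    """Hypothetical choice of browser characteristics; the page does not name its own."""
    return hashlib.sha256(f"{user_agent}\n{accept_language}".encode()).hexdigest()

def _mac(username, expires, nonce, fp):
    msg = "|".join((username, str(expires), nonce, fp)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue(username, fp, now, ttl=300):
    """Create a pass for `username`, valid for `ttl` seconds from `now`."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    expires, nonce = int(now) + ttl, secrets.token_hex(16)
    return "|".join((username, str(expires), nonce, _mac(username, expires, nonce, fp)))

def redeem(token, fp, now):
    """Return the username if the pass is genuine, unexpired, unused and presented
    with the same browser fingerprint it was issued to; otherwise None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, expires, nonce, mac = parts
    expected = _mac(username, expires, nonce, fp)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                      # forged, altered, or a different browser
    if now > int(expires) or nonce in _redeemed:
        return None                      # too late, or already used once
    _redeemed.add(nonce)
    return username
```

Because the fingerprint is part of the MAC input rather than stored in the pass, a pass copied to another browser fails verification without the server keeping any per-pass state beyond the used nonces.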

How does the Strongbox Security System™ work with iBill, CCBill, and
other processors?

The Strongbox Security System™ is compatible with all known processors,
and can be used with many different processors on one site. There is no need to
reconfigure the Strongbox Security System™ if you change processors.
Each processor writes the password list to a password file, normally named ".htpasswd".
The Strongbox Security System™ then reads that file to see if the entered
password is correct. Note that the Strongbox Security System™ never changes
the password file, only reads it. Unlike other systems on the market, the Strongbox
Security System™ can work with multiple password files from different
providers, username/password databases such as that created by vBulletin, or remote
password verification servers such as AVS systems. The Strongbox Security
System™ will work with any AVS. Currently only Adult Check and Hentai Key
provide native Strongbox Security System™ support on their servers, which
makes using those AVS systems somewhat more convenient. A note about SexKey, though -
the owner of SexKey, Hank Freeman, indicated that he thought the Strongbox Security
System™ would be a good thing to use. A few months later, a SexKey employee
named Mark Sender terminated the account of one of SexKey's first webmasters,
claiming that using the Strongbox Security System™ login script violated
SexKey's terms. Caveat webmaster.